OISF
diff --git a/‎tests/socks/bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap‎
121 KB b/‎tests/socks/bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap‎
121 KB
diff --git a/‎tests/socks/bug-4965-socks-http-01/test.yaml‎
Lines changed: 33 additions & 0 deletions b/‎tests/socks/bug-4965-socks-http-01/test.yaml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎tests/socks/bug-4965-socks-tls-02/socks5-localhost3-tcp-1080.pcap‎
85.3 KB b/‎tests/socks/bug-4965-socks-tls-02/socks5-localhost3-tcp-1080.pcap‎
85.3 KB
diff --git a/‎tests/socks/bug-4965-socks-tls-02/test.yaml‎
Lines changed: 40 additions & 0 deletions b/‎tests/socks/bug-4965-socks-tls-02/test.yaml‎
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,33 @@
+requires:
+  min-version: 8
+
+args:
+- --set app-layer.protocols.socks.tcp.detection-ports.dp=9200
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.auth_methods.request[0]: "No authentication"
+        socks.auth_methods.request[1]: "No authentication"
+        socks.auth_methods.response: "No authentication"
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.connect.domain: "eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"
+        socks.connect.port: 80
+        socks.connect.response: "Success"
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/stld/2ed742b9631a445a90864552c8b213a9?u=YWRtaW4%3D&p=VVNFUi1QQw%3D%3D&i=ODQuMTcuNDguMTgy&co=R2VybWFueSAoREUp&ci=RnJhbmtmdXJ0IGFtIE1haW4%3D&t=Y2hyaWJvdHM%3D"
+        http.status: 200
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: http
+        app_proto_orig: socks
@@ -0,0 +1,40 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.auth_methods.request[0]: "No authentication"
+        socks.auth_methods.request[1]: "GSSAPI"
+        socks.auth_methods.request[2]: "Username/Password"
+        socks.auth_methods.response: "Username/Password"
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.auth_userpass.user: proxyuser
+        socks.auth_userpass.pass: securepassword
+        socks.auth_userpass.response: "Success"
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.connect.ipv4: 35.212.0.44
+        socks.connect.port: 443
+        socks.connect.response: "Success"
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.sni: suricata.io
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: tls
+        app_proto_orig: socks